Message-ID: <20240417143854.66rgilsjticr3cp5@jwilk.net>
Date: Wed, 17 Apr 2024 16:38:54 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: <oss-security@...ts.openwall.com>
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

* Andres Freund <andres@...razel.de>, 2024-03-29 08:51:
>d) LANG needs to be set

If timing "sshd -h" is a reliable method of checking if the backdoor is
active, then this is not correct. It seems all you need is non-empty
environment:

   # time env -i /usr/sbin/sshd -h 2>/dev/null

   real    0m0.009s
   user    0m0.004s
   sys     0m0.005s

   # time env -i X= /usr/sbin/sshd -h 2>/dev/null

   real    0m0.345s
   user    0m0.337s
   sys     0m0.009s

Further evidence that LANG doesn't matter:

* LANG is not on the list of extracted strings[0].

* Some folks[1][2] misspelled LANG as LC_LANG, and apparently it still
  worked.

[0] https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01
[1] https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
[2] https://github.com/binarly-io/binary-risk-intelligence/tree/master/xz-backdoor

>I am *not* a security researcher, nor a reverse engineer.

Congrats, you've just made a lot of people feel inadequate. :P

-- 
Jakub Wilk
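
The comparison from the message above (empty environment versus an environment holding only X=), repeated several times and reduced to medians. This is an added example, not code from the message or from any of the linked analyses; the function names and the 0.1 s gap threshold are assumptions chosen for illustration.

```python
import statistics
import subprocess
import time

# Assumption: a gap this large between the two medians deserves a closer look.
# The message above reports roughly 0.009 s versus 0.345 s.
GAP_SECONDS = 0.1


def median_runtime(argv, env, runs=5):
    """Median wall-clock time of argv, run with exactly the environment env."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        # Output is discarded; "sshd -h" exits non-zero, so do not check it.
        subprocess.run(argv, env=env, stdin=subprocess.DEVNULL,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                       check=False)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def compare_environments(argv, runs=5):
    """Time argv with an empty environment and with only X= set."""
    empty = median_runtime(argv, {}, runs)            # like: env -i argv
    nonempty = median_runtime(argv, {"X": ""}, runs)  # like: env -i X= argv
    return {
        "empty": empty,
        "nonempty": nonempty,
        "suspicious": nonempty - empty > GAP_SECONDS,
    }


if __name__ == "__main__":
    result = compare_environments(["/usr/sbin/sshd", "-h"])
    print("empty env:     %.3fs" % result["empty"])
    print("non-empty env: %.3fs" % result["nonempty"])
    print("startup gap exceeds threshold" if result["suspicious"]
          else "no significant startup gap")
```

As the message itself notes, the result is only as good as the assumption that timing "sshd -h" reflects whether the backdoor is active.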